Wednesday, 9 November 2011

We have a heavily used subnet in our company, with a /23 mask for about 200 devices, and the devices change a lot.

Now we have exactly 5 addresses left and about 430 reserved, but our Windows DHCP server shows only 5 reservations as inactive.

What can you do if you don't want to check every single device to avoid deleting an active one?

Linux and tcpdump are your friends!

To capture all ARP requests in the subnet, start the following command on a Linux computer:

tcpdump -i any -s 0 -n -t arp >> /opt/arpdump.txt &

-i stands for interface - it shouldn't matter which interface

-s specifies the snaplen

-n prevents DNS lookups and just prints the IP

-t cuts off the timestamp for sorting/dedup reasons

>> appends the output to the file arpdump.txt

Be aware of the & - it prevents tcpdump from closing after you have ended your PuTTY session.

If you want to stop it:

ps -ef | grep tcpdump

Look for the row with the command from above, and then use

kill PID

where PID is the first value of tcpdump in the ps -ef output

It should run for about 2-3 weeks to cover all devices, including those that are used only for testing or whose owners are on vacation.
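Once the capture has run long enough, the file has to be compared against the reservation list. The following script is an added example, not part of the original post: it assumes the reservations have been exported to a text file with one IPv4 address per line (reserved.txt is a hypothetical name, as are the function names), and the sample data is constructed.

```shell
#!/bin/sh
# Added example: list reserved IPs that never appeared as an ARP sender.

# seen_senders DUMP: unique IPv4 addresses that *sent* ARP traffic.
# A "who-has X" target proves nothing (anyone may ask for a dead address),
# so only "tell <ip>" and "Reply <ip> is-at" count as evidence of life.
# ARP probes use the sender 0.0.0.0, which is dropped.
seen_senders() {
    sed -n \
        -e 's/.*ARP, Request who-has .* tell \([0-9.]*\),.*/\1/p' \
        -e 's/.*ARP, Reply \([0-9.]*\) is-at .*/\1/p' "$1" |
        grep -v '^0\.0\.0\.0$' |
        LC_ALL=C sort -u
}

# unseen_reservations DUMP RESERVED: reserved addresses with no sender hit.
# RESERVED may have Windows line endings; -x -F compares whole lines as
# fixed strings, so 10.20.0.5 is not hidden by a sighting of 10.20.0.50.
unseen_reservations() {
    tmp=$(mktemp) || return 1
    seen_senders "$1" > "$tmp"
    rc=0
    tr -d '\r' < "$2" | grep -vxF -f "$tmp" || rc=$?
    rm -f "$tmp"
    [ "$rc" -le 1 ]   # grep returns 1 when every reservation was seen
}

# Constructed sample data (not from a real network), written into DIR.
write_sample() {
    cat > "$1/arpdump.txt" <<'EOF'
ARP, Request who-has 10.20.0.50 tell 10.20.0.1, length 46
ARP, Reply 10.20.0.50 is-at 00:11:22:33:44:55, length 46
ARP, Request who-has 10.20.1.77 tell 10.20.0.1, length 46
ARP, Request who-has 10.20.0.9 tell 0.0.0.0, length 46
eth0  B   ARP, Request who-has 10.20.0.1 tell 10.20.1.200, length 46
EOF
    printf '10.20.0.50\r\n10.20.1.77\r\n10.20.1.200\r\n10.20.0.5\r\n' \
        > "$1/reserved.txt"
}

# Demo run on the constructed sample.
d=$(mktemp -d) && write_sample "$d" &&
    unseen_reservations "$d/arpdump.txt" "$d/reserved.txt"
rm -rf "$d"
```

The addresses it prints are candidates for review only: a device behind a router or one that stayed off for the whole capture period will also never show up as an ARP sender.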